xen/CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch

References: bsc#944697

From: P J P <address@hidden>

While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
 hw/net/e1000.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/e1000.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c
@@ -707,7 +707,8 @@ process_tx_desc(E1000State *s, struct e1
                 memmove(tp->data, tp->header, tp->hdr_len);
                 tp->size = tp->hdr_len;
             }
-        } while (split_size -= bytes);
+            split_size -= bytes;
+        } while (bytes && split_size);
     } else if (!tp->tse && tp->cptse) {
         // context descriptor TSE is not set, while data descriptor TSE is set
         DBGOUT(TXERR, "TCP segmentation error\n");
- bsc#945164 - Xl destroy show error with kernel of SLES 12 sp1 5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch - Upstream patches from Jan 55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch 55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch 55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch 55e43fd8-x86-NUMA-fix-setup_node.patch 55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch 55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch 54c2553c-grant-table-use-uint16_t-consistently-for-offset-and-length.patch 54ca33bc-grant-table-refactor-grant-copy-to-reduce-duplicate-code.patch 54ca340e-grant-table-defer-releasing-pages-acquired-in-a-grant-copy.patch - bsc#944463 - VUL-0: CVE-2015-5239: qemu-kvm: Integer overflow in vnc_client_read() and protocol_client_msg() CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch - bsc#944697 - VUL-1: CVE-2015-6815: qemu: net: e1000: infinite loop issue CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=375 2015-09-16 16:29:39 +00:00			`References: bsc#944697`

			`From: P J P <address@hidden>`

			`While processing transmit descriptors, it could lead to an infinite`
			`loop if 'bytes' was to become zero; Add a check to avoid it.`

			`[The guest can force 'bytes' to 0 by setting the hdr_len and mss`
			`descriptor fields to 0.`
			`--Stefan]`

			`Signed-off-by: P J P <address@hidden>`
			`Signed-off-by: Stefan Hajnoczi <address@hidden>`
			`---`
			`hw/net/e1000.c \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c`
			`===================================================================`
			`--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/e1000.c`
			`+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c`
			`@@ -707,7 +707,8 @@ process_tx_desc(E1000State *s, struct e1`
			`memmove(tp->data, tp->header, tp->hdr_len);`
			`tp->size = tp->hdr_len;`
			`}`
			`- } while (split_size -= bytes);`
			`+ split_size -= bytes;`
			`+ } while (bytes && split_size);`
			`} else if (!tp->tse && tp->cptse) {`
			`// context descriptor TSE is not set, while data descriptor TSE is set`
			`DBGOUT(TXERR, "TCP segmentation error\n");`